New vulnerabilities have been found in 31 models of Netgear routers that could allow an attacker to discover or completely bypass any password on a Netgear router, giving them complete control of the router, including the ability to change configuration, turn infected routers into botnets or even upload entirely new firmware.
These new bugs come not too long after flaws discovered in Netgear devices in December, which were “command injection” based, showing the increasing severity of the issue in use of these routers.
In a blog post by researchers at Trustwave, the issues were discovered one day when Simon Kenin, security researcher at Trustwave, was trying to access the web interface of his Netgear VEGN2610 router and couldn't remember the password for it.
He started “manually fuzzing” the web server with different parameters, he discovered a file called “unauth.cgi”.
“I started looking up what that “unauth.cgi” page could be, and I found two publicly disclosed exploits from 2014, for different models that manage to do unauthenticated password disclosure. Booyah! Exactly what I need,” he said. “Those two guys found out that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials.”
Kenin said he tested it with a different Netgear router and got the same results. He admitted that he even managed to make an error in coding and still managed to unearth credentials.
“This is a totally new bug that I haven't seen anywhere else. When I tested both bugs on different Netgear models, I found that my second bug works on a much wider range of models.”
Kenin said the flaws affect many models. “We have found more than ten thousand vulnerable devices that are remotely accessible. The real number of affected devices is probably in the hundreds of thousands, if not over a million.”
The vulnerability can be used by a remote attacker if remote administration is set to be internet facing. By default, this is not turned on. However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public Wi-Fi spaces like cafés and libraries using vulnerable equipment.
“As many people reuse their password, having the admin password of the router gives us an initial foothold on the network. We can see all the devices connected to the network and try to access them with that same admin password,” he said.
He added that it is possible that some of the vulnerable routers could be infected and ultimately used as bots as well.
Kenin said a full description of the flaws as well as a testing script can be found here.
Asad Naveed, security consultant at Nettitude, told SC Media UK that small office and home routers do not often go through stringent security testing before they are put onto the market, allowing for vulnerabilities such as authentication bypass and in extreme cases, remote code execution, being discovered by researchers.
“Once the vulnerabilities are identified and exploits become available the affected routers are at a risk of compromise until the vendor has released a patch, which is then applied to the router,” he said.
He added that vendors need to take responsibility to harden the configuration of routers as appropriate without affecting out-of-the-box operability.
“More emphasis needs to be placed on manufacturers to prevent common vulnerabilities instead of relying on the consumer to harden configuration. Manufacturers could also request the assistance of security researchers prior to the routers making their way to the production line to ensure that the firmware is secure,” said Naveed.
Check Point's regional director for Northern Europe, Nick Lowe told SC that the exploit has similarities to the ‘Misfortune Cookie' flaw that was identified in over 12 million routers from vendors including D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL, in late 2014.
“The problem with these types of vulnerability is that the vendor's patch propagation cycle for embedded software is incredibly slow, and often relies on the user applying the patch. So users should ensure they have a two-way firewall installed on any computer on their network, to block malicious activity from a hacked router. They should also consider adding privacy to browsing by using HTTPS connections to encrypt all browser activity,” he said.
Mike Ahmadi, global director of critical systems security at Synopsys, told SC that his firm has tested many routers and firewalls over the last decade, and have found vulnerabilities numbering in the thousands, using both fuzz testing and software composition analyses.
“Vendors typically build such devices for the stated functionality, which is to route traffic and block unwanted traffic, when used as intended,” he said.
“What many vendors fail to do, however, is adequately assess the inherent security of the devices they sell, thereby flooding the market with vulnerable devices. Some vendors have taken it upon themselves to address the inherent vulnerabilities, but the end user is often left guessing which devices are adequately tested, since there is currently no regulatory requirement to test to a given level of rigor, and any attempt to force such regulations are met with extreme resistance.”